fix(admin): eliminate GoTrue empty-body 500s under bulk load (retry-all + undici keep-alive + sequential bulk), CSV formula-injection guard

app/api/admin/users/[id]/role/route.ts

@@ -1,6 +1,7 @@
 import { type NextRequest } from 'next/server';
 import { requireAdminApi } from '@/lib/auth/admin-guard';
 import { getSupabaseAdmin } from '@/lib/supabase/admin';
+import { withAdminRetry } from '@/lib/admin/retry';
 import { logAdminAction } from '@/lib/auth/audit';
 import { isUuid } from '@/lib/admin/validators';
 import { jsonNoStore } from '@/lib/admin/response';
@@ -42,17 +43,24 @@ export async function POST(
 
   const admin = getSupabaseAdmin();
 
-  // Merge with existing app_metadata so we don't clobber other keys.
-  const { data: existing, error: getErr } =
-    await admin.auth.admin.getUserById(id);
+  // Merge with existing app_metadata so we don't clobber other keys. Retry the
+  // read on transient empty-body responses so a burst-load flake isn't
+  // misreported as a 404; a genuine not-found still falls through below.
+  const { data: existing, error: getErr } = await withAdminRetry(() =>
+    admin.auth.admin.getUserById(id),
+  );
   if (getErr || !existing.user) {
     return jsonNoStore({ error: 'user not found' }, { status: 404 });
   }
   const merged = { ...(existing.user.app_metadata ?? {}), role };
 
-  const { error } = await admin.auth.admin.updateUserById(id, {
-    app_metadata: merged,
-  });
+  // `updateUserById` is idempotent here (same app_metadata), so retrying a
+  // transient empty-body write is safe.
+  const { error } = await withAdminRetry(() =>
+    admin.auth.admin.updateUserById(id, {
+      app_metadata: merged,
+    }),
+  );
   if (error) {
     console.error('admin user.role failed', error);
     return jsonNoStore({ error: 'internal error' }, { status: 500 });